Author

Topic: Is it safe to encrypt your private keys with BIP38 and bitaddress.org? (Read 1198 times)

legendary
Activity: 2590
Merit: 3015
Welt Am Draht
If you are 100% sure your computer is safe from spyware...

It makes far more sense to do it with a machine that'll never see the internet again. You can get something that'll do the job for $20. If you ever do need to access the internet again with it just give it a comprehensive wipe.

It's far more reassuring doing all your crypto stuff on something you know can't possibly leak.
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
You do not need the site to "decrypt" the private keys. This can be done with other sites and software, where you sweep the private key to use those bitcoins. You use that site to generate your paper wallets. < public & private key combination >

Just take note : Simply generating this offline are not a fail-safe method to protect the information that were generated. Some Malware can still log information in "offline" mode and then make that available to their "master" when the computer are online again.

I prefer to use a cheap second-hand computer that will never be used online again, to generate my paper wallets. ^smile^
staff
Activity: 3458
Merit: 6793
Just writing some code
instead of using betaadress i think you should try this https://keybase.io/warp/ they scrypt algorithm and pbkdf2 with ability to use salt key

they describe there algorithm like this.

s1    =   scrypt(key=(passphrase||0x1), salt=(salt||0x1), N=218, r=8, p=1, dkLen=32)
s2    =   pbkdf2(key=(passphrase||0x2), salt=(salt||0x2), c=216, dkLen=32, prf=HMAC_SHA256)
keypair   =   generate_bitcoin_keypair(s1 ⊕ s2)
No, don't do that. That is making a brainwallet, which is not what OP is asking. It is not encrypting private keys or using BIP 38 or doing anything of the sort that OP is asking about. Please do not post if you don't know what you are talking about.
full member
Activity: 138
Merit: 100
instead of using betaadress i think you should try this https://keybase.io/warp/ they scrypt algorithm and pbkdf2 with ability to use salt key

they describe there algorithm like this.

s1    =   scrypt(key=(passphrase||0x1), salt=(salt||0x1), N=218, r=8, p=1, dkLen=32)
s2    =   pbkdf2(key=(passphrase||0x2), salt=(salt||0x2), c=216, dkLen=32, prf=HMAC_SHA256)
keypair   =   generate_bitcoin_keypair(s1 ⊕ s2)


full member
Activity: 840
Merit: 128
Use a Raspberry Pi.
Burn an SD Card with Linux, run the saved (in a memory stick)  Bitaddress webpage using the RPi web browser and make as many keys as you wish.
Print the keys in a printer (you can connect it to RPi too, google for more informations) or encrypt the list in the the memory stick using pgp.
Format or destroy the SD Card and never use the memory stick in a computer.
hero member
Activity: 752
Merit: 501
Yes you can do this safely.
First, wipe your computer first to make sure there are no viruses.
Turn turn off internet when you get to Bitaddress.
You can still generate addresses with the internet off.
Finally, print the keys and voila, you have secure keys!
Unless you have a virus no one will know them.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
If the keyloggers are so prevalent and powerful aren't we at risk of having masterseed or mnemonic stolen everytime we TYPE it in any type of wallet that takes keyboard input.
Yes. That's why you have to be careful about what you download and click.
Is there a way around it, like for example displaying randomly ordered keyboard on screen within such software. Why is that not implemented or am I being naive without being aware of it?
Yes. It's called on-screen keyboard. Most wallet don't implement it and I can see why. If there is a keylogger in your computer, there's an extremely high chance of your computer also having other malware (RAT) and that can do whatever they want with your wallet.
full member
Activity: 148
Merit: 106

Those kind of malwares are fairly common and almost any malware have these capabilities. Even a keylogger will work, they just need your encrypted key and the password and they can do whatever they want.

If you want to be safe, you HAVE to install a clean OS offline and load the website in your offline instance. Your cold storage can be considered as compromised once the computer it has is connected to the internet.

If the keyloggers are so prevalent and powerful aren't we at risk of having masterseed or mnemonic stolen everytime we TYPE it in any type of wallet that takes keyboard input.
Is there a way around it, like for example displaying randomly ordered keyboard on screen within such software. Why is that not implemented or am I being naive without being aware of it?
legendary
Activity: 4256
Merit: 1313
Is there such a spyware that can simultaneously log your keystrokes and capture your screen because that would be required to steal your encrypted private keys if you only intended to stamp them for example on a metal plate after seeing them on a screen within an offline version of bitaddress.org?
Those kind of malwares are fairly common and almost any malware have these capabilities. Even a keylogger will work, they just need your encrypted key and the password and they can do whatever they want.


Thanks. So the keylogger gets my password but if I only write down an encrypted key and than shut bitaddress.org I should be half-way safe because it would have the password but not what it unlocks - namely encrypted private key.

You also should clear the browser cache, quit the browser etc after doing it.
full member
Activity: 148
Merit: 106
Is there such a spyware that can simultaneously log your keystrokes and capture your screen because that would be required to steal your encrypted private keys if you only intended to stamp them for example on a metal plate after seeing them on a screen within an offline version of bitaddress.org?
Those kind of malwares are fairly common and almost any malware have these capabilities. Even a keylogger will work, they just need your encrypted key and the password and they can do whatever they want.


Thanks. So the keylogger gets my password but if I only write down an encrypted key and than shut bitaddress.org I should be half-way safe because it would have the password but not what it unlocks - namely encrypted private key.
legendary
Activity: 4256
Merit: 1313
I do! Thanks. I would only put my mind at more ease knowing that recreating something like BIP38 protocol is relatively simple task for the educated.

You can also fork it on github which gives you another online backup of it.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
Is there such a spyware that can simultaneously log your keystrokes and capture your screen because that would be required to steal your encrypted private keys if you only intended to stamp them for example on a metal plate after seeing them on a screen within an offline version of bitaddress.org?
Those kind of malwares are fairly common and almost any malware have these capabilities. Even a keylogger will work, they just need your encrypted key and the password and they can do whatever they want.

If you want to be safe, you HAVE to install a clean OS offline and load the website in your offline instance. Your cold storage can be considered as compromised once the computer it has is connected to the internet.
full member
Activity: 148
Merit: 106
Thanks. So for ultimate safety you should take the hard route.

Is there such a spyware that can simultaneously log your keystrokes and capture your screen because that would be required to steal your encrypted private keys if you only intended to stamp them for example on a metal plate after seeing them on a screen within an offline version of bitaddress.org?
hero member
Activity: 637
Merit: 502
You know that you can save the bitaddress.org page on your computer right?

No need to hope for the site to exist in the future.

When you run the proccess of private key creation using bitaddress.org is it enough to be offline or should you be made to jump through hoops by burning Linux installation, running it on a computer with harddrive plugged out, no internet connection etc.?

If you are 100% sure your computer is safe from spyware...
full member
Activity: 148
Merit: 106
You know that you can save the bitaddress.org page on your computer right?

No need to hope for the site to exist in the future.

When you run the proccess of private key creation using bitaddress.org is it enough to be offline or should you be made to jump through hoops by burning Linux installation, running it on a computer with harddrive plugged out, no internet connection etc.?
full member
Activity: 148
Merit: 106
I do! Thanks. I would only put my mind at more ease knowing that recreating something like BIP38 protocol is relatively simple task for the educated.
hero member
Activity: 637
Merit: 502
You know that you can save the bitaddress.org page on your computer right?

No need to hope for the site to exist in the future.
full member
Activity: 148
Merit: 106
Lets say you use this page in an offline mode, print the encrypted keys, stamp it on metal, store it somewhere in a vault etc.
That should provide you reasonable security.

However, that site is the only one I could find doing the decryption of encrypted private keys.
The fear that I have is that if the site is gone would you be able to employ a sufficiently able programmer to create an encryption/decryption program with the information publicly available regarding this encryption protocol?

Thanks
Jump to: